Fraudsters are doing more than shutting down sites by flooding them with millions of automated inquiries. They’re infecting websites with malware that unsuspecting users then download onto their devices. Here’s how to advise your organizations and clients
to protect their domain name servers and prevent loss of revenue, productivity and reputation.
Jake Feeney, who worked for a cybersecurity company, thought he was savvy about computer technology trends. He replaced his devices every three years with the latest and greatest. So, he was perplexed when a favorite website wasn’t loading on his
laptop. A colleague told him that the company that owned the site had probably experienced a denial of service (DoS) or distributed denial of service (DDoS) attack. A fraudster might have flooded the company’s system with thousands, if not millions,
of unwanted incoming inquiries that slowed other users’ access to the website or blocked it entirely.
While the cyberattack distracted the company, the fraudster planted malware on the website company’s computer network. When the company finally reestablished its site, users unwittingly downloaded nasty viruses onto their devices.
This case is fictional, but it shows how DoS or DDoS attacks can degrade organizations’ network performance and steal valuable personally identifiable information and money from their clients and users.
The information in this article can help you advise your organizations and clients.
Increasingly thorny problem
DoS and DDoS attacks are escalating annually with no end in sight. They’re increasingly afflicting all types of organizations worldwide.
On July 24, 2019, US Signal, a data center services provider, released its State of Web and DDoS Attacks survey of 100 IT decision makers in U.S.-based companies
with up to 750 employees. The study found that 83 percent of the organizations had experienced a DDoS attack within the previous two years (2017 and 2018). More than half of these companies experienced multiple attacks. Here are more of the report’s
findings:
- On average, a DDoS attack caused 12 hours of downtime, and 30% reported 20 hours of downtime.
- More than a third considered revenue loss the main concern.
- 34% reported a loss of IT productivity.
- 20% reported reputational damage.
- 17% didn’t have or weren’t sure if they had a DDoS protection provider or tool.
- 81% experienced a cybersecurity attack on their web applications the previous two years.
- Nearly half of these companies experienced multiple cybersecurity attacks.
- The average financial impact of a cyberattack was $152,000.
- 91% of respondents still consider their website and application security satisfactory, with three in five calling it highly satisfactory.
“To combat these threats,” the survey reported, “many respondents are turning to managed service providers to help monitor and maintain a mixture of cybersecurity technologies,
including cloud-based firewalls (73 percent), DDoS protection (71 percent) and email security (62 percent). In addition, 97 percent of participating organizations scan and test for vulnerabilities within their web applications.”
However, even the best firewalls and intrusion prevention tools aren’t always enough to defend against complex DoS and DDoS attacks.
The aftermath of responding to attacks can be expensive and time-consuming. They’re an effective way to distract and confuse security teams while inflicting serious damage to their brands, particularly if attackers use them to simultaneously cover up
their malicious actions, such as data theft and malware downloads.
DoS/DDoS attacks defined
Cyberterrorists often design DoS and DDoS attacks for political causes and criminal purposes. And hackers, malicious or otherwise, use both to disrupt or shut down websites, whether for profit or not.
But the two types of attack differ in the number of computers and networks that aggressors deploy. For example, a DoS attacker floods a victim’s server or network with malicious traffic (data requests or packets) that
overloads its bandwidth faster than the organization can stop it, so the interconnecting network, website or web application goes offline and becomes unavailable.
A DDoS attack is functionally similar, but it employs many devices — such as large botnets of compromised computers — to launch a series of simultaneous attacks that knock a victim’s website, web application or network offline, making them unusable
for legitimate users.
According to the SSL Store, in 2018, during one of the world’s largest DDoS attacks, hackers flooded the web servers of an organization called GitHub with inbound traffic of 126.9 million data packets per second (PPS), measuring 1.35 terabits
per second (Tbps), which is extremely fast. A terabit is a unit used to measure data transfer rates. (See The Largest DDoS Attacks in History, Hashed Out,
May 29, 2019.)
A data packet includes the payload (the part of the transmitted data that’s the actual intended message) and headers containing certain types of metadata along with routing information that enables payload delivery. “Data packets are used in Internet Protocol
(IP) transmissions for data that navigates the Web, and in other kinds of networks,” according to Techopedia. “Data packets also may have trailers that help
refine data transmission.”
Massive amounts of incoming data packets can quickly swamp and exceed the bandwidth of web servers, so they effectively fail. The GitHub servers, once attacked, couldn’t immediately respond to legitimate users who were trying to reach its
website.
In 2019, two of Imperva’s unnamed clients (Imperva is a cybersecurity software and services company) experienced even larger DDoS attacks, according to The SSL Store.
In the first attack, which occurred in January 2019, the cyberfraudsters directed 500 million packets per second (PPS) at Imperva’s client’s network or website. In April 2019, an attack against another Imperva client peaked at 580 million PPS. We’ll
see even larger DDoS attacks because they’re relatively cheap to pull off.
Kaspersky, a cybersecurity and anti-virus provider headquartered in Moscow, said that the total number of DDoS attack indicators increased in the first quarter of 2019, according to a research report.
The total number of attacks climbed by 84%, and the number of sustained (more than 60 minutes) DDoS sessions doubled. Kaspersky said the average duration of an attack increased by 4.21 times, and the segment of extremely long attacks posted a massive
487% growth. Here are additional report findings:
- China remains out in front in the geographical distribution of attacks.
- The geographical distribution of targets roughly mirrors the geographical distribution of attacks. The top three were: China (59.85%), the U.S. (21.28%) and Hong Kong (4.21%).
- Geographic top 10s saw relatively little reshuffling compared to previous quarters. Survey respondents didn’t see any additional sudden growth in botnet activity in unexpected places.
- The most dangerous day of the week for DDoS attacks was Saturday; Sunday remains the calmest.
- The maximum attack duration decreased by more than a day against the previous quarter, although the percentage share of sustained DDoS sessions continued to rise and amounted to 21.34% (versus 16.66% in Q4 2018).
- The share of Linux botnets decreased slightly, but it still remains predominant (95.71%).
- Most botnet command-and-control (C&C) servers are still located in the U.S. (34.10%), with the Netherlands in second place (12.72%) and Russia in third (10.40%). The once perennial leader, South Korea, returned to the top 10, albeit in last place
(2.31%). C&C servers are computers that issue directives to digital devices that have been infected with rootkits or other types of malware, such as ransomware.
DNS servers explained
When you use a computer to access a website housed on another computer, it’s much simpler to remember and use a domain or hostname like ACFE.com than it is to remember the site’s IP address, such as 141.111.139.111. Each computer device has its own IP
address, which allows it to interface and communicate with other devices within a global computer network.
When you enter a domain or host name on your computer, it’s sent to a domain name system (DNS) server — also known as the internet’s phonebook — to translate it into an IP address. Domain name servers contain a large database of host names and their related
public IP addresses. The DNS is an integral part of the worldwide internet infrastructure that translates host names into IP addresses, which allows you to access the websites of other computers or send emails.
Because DNS servers provide a public service to the network, they’ve become a major attack vector for hackers. According to the International Data Corporation (IDC) 2019 Global DNS Threat Report,
a “DNS (server) is a primary target for cyberattacks, causing business damage in terms of downtime and financial loss, as it remains one of the critical elements in delivering IT services.” Here are some key findings from the report:
- 82% of companies have experienced a DNS attack.
- The average number of attacks per company was 9.45 compared to 7.08 in 2018.
- The average cost per company to recover from a DNS attack was $1.7 million.
- 63% of the companies suffered application downtime compared to 30% in 2018.
- 45% of the companies suffered a compromised website compared to 45% in 2018.
- 13% lost sensitive information compared to 22% in 2018.
- 26% suffered brand damage compared to 23% in 2018.
- 27% experienced a loss of business compared to 22% in 2018.
According to the report, the spectrum of DNS attacks was much broader in 2019 compared to 2018, and the percentage of each attack type suffered has significantly increased. DoS/DDoS attacks have burgeoned from 20% in 2018 to 30% in 2019. Hackers are increasingly
attacking DNS servers to launch attacks and generate other malicious activity.
Extra bonus: malware infections
During a DoS or DDoS attack, a victim organization is preoccupied with getting its website back online. But the culprit’s primary motive for flooding the site with millions of inquiries might have been to distract the victim organization’s
attention so he could look for vulnerabilities through which to plant malware, such as adware, spyware, ransomware or viruses. Then, once the website is back, users will unwittingly download malware onto their devices.
For example, according to Lifewire, let’s say your computer is using Google’s DNS servers. You enter your bank’s website URL and find its familiar homepage. However, your computer contains malware from a DoS/DDoS attack that has changed your DNS server
settings. Your system no longer contacts Google’s DNS servers but a hacker’s server that poses as your bank’s website. The fake bank site harvests your username and password. Lights out, game over. Your money is gone because it was automatically wired
to the fraudster’s bank account. (See What Is a DNS Server? by Tim Fisher, Lifewire, Sept. 18, 2019.)
According to Fisher’s Lifewire article, malware attacks that hijack your DNS server settings might also redirect traffic away from your popular websites to ones that are full of advertisements or to fake sites that could scare you into believing your
computer has been infected with viruses and coerce you to buy their software program to remove it.
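The hijack scenario above comes down to two checks a defender can automate: are the host’s configured resolvers the ones you expect, and does the configured resolver return the same answer for the bank’s domain as a trusted resolver does? The Python below is an added example, not code from the article or from Lifewire; the resolver configuration, the allowlist and the two lookup functions are constructed.

```python
# Constructed resolver configuration in /etc/resolv.conf syntax, as a
# tampered endpoint might show it: one of Google's resolvers was replaced.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search corp.example
nameserver 8.8.8.8
nameserver 198.51.100.23
"""

# Resolvers the organization expects (Google Public DNS, as in the Lifewire
# scenario); any other address is treated as a hijack indicator.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Nameservers that are not on the allowlist."""
    return [s for s in servers if s not in expected]


def compare_answers(domain, lookup_configured, lookup_trusted):
    """Resolve a domain through the host's configured resolver and through a
    trusted one; a mismatch means the configured resolver may be lying.
    Both lookups are injected callables so this check runs offline here."""
    configured = set(lookup_configured(domain))
    trusted = set(lookup_trusted(domain))
    return {"domain": domain, "configured": sorted(configured),
            "trusted": sorted(trusted), "mismatch": configured != trusted}


# Constructed answers: the rogue resolver points the bank at another host.
def _rogue_lookup(domain):
    return ["203.0.113.77"]


def _trusted_lookup(domain):
    return ["192.0.2.10", "192.0.2.11"]


if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", servers)
    print("unexpected:", unexpected_resolvers(servers))
    print(compare_answers("bank.example", _rogue_lookup, _trusted_lookup))
```

On a real host, replace the two lookup callables with queries to the configured resolver and to a resolver you trust.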
Maintaining quality DNS
Your organization must maintain quality DNS to ensure service continuity. According to IDC’s 2019 Global DNS Threat Report, faulty or ineffective DNS services can negatively affect clients’, partners’ and employees’ perceptions, and your e-commerce applications,
which can result in lost revenue and a ruined brand.
Developing appropriate measures to help ensure the security of DNS servers is essential to reduce DoS and DDoS attacks. IDC recommends these DNS measures, some of which are quite technical, but I’ll explain what they mean:
- Implement internal threat intelligence to protect your enterprise data and services. Using real-time DNS analytics helps detect and thwart advanced attacks such as “domain generation algorithm” (DGA) malware and “zero-day malicious domains.” A hacker
will use a DGA malware technique to periodically spawn many random fake domain names for an organization’s C&C server, which makes it very difficult for a malware analyst to identify the real domain name or IP address of the invading server and
take it down. A zero-day malicious domain’s IP address contains malware, which attacks vulnerable systems. If an unsuspecting user visits an infected domain, malware could be loaded on their computer to carry out malicious activities. “Zero-day”
is the day the exploit is identified; the longer it takes for an organization to identify it, the higher the probability the hacker has inflicted malicious activity.
- Use DNS for ensuring security compliance. Integrating DNS with IP address management (IPAM — a way to plan, track and manage the IP address space in a network) in network security orchestration processes helps automate management of security policies
and keep them current, consistent and auditable.
- Leverage DNS’ unique traffic visibility in your network security ecosystem to help SOCs’ remediation. SOC, or “system on a chip,” refers to the integration of all the required electronic circuits of various functions onto one chip to form a complete
system to perform complex functions. Implementing real-time behavioral threat detection over DNS traffic allows qualified security events rather than logs to be sent to SIEMs. (Security information and event management software products provide
real-time analysis of security alerts.)
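As an added illustration of the “real-time DNS analytics” item above (not code from the article or from IDC), the Python below runs a simple DGA heuristic over constructed DNS query-log lines: a client that fails many lookups for long, high-entropy, vowel-poor names is flagged. The log format, the thresholds and the domain names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query-log lines: "<timestamp> <client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2019-11-04T10:00:01Z 10.1.4.22 www.acfe.com NOERROR
2019-11-04T10:00:02Z 10.1.4.22 mail.acfe.com NOERROR
2019-11-04T10:00:03Z 10.1.4.57 xk3j9qz7wplm0vt.net NXDOMAIN
2019-11-04T10:00:03Z 10.1.4.57 b8r2nq0ydh5lksf.com NXDOMAIN
2019-11-04T10:00:04Z 10.1.4.57 q9v1zp4cmxw6tjr.org NXDOMAIN
2019-11-04T10:00:04Z 10.1.4.57 h7d3lx8bnvy2rkt.net NXDOMAIN
2019-11-04T10:00:05Z 10.1.4.57 google.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'xk3j9qz7wplm0vt.net' -> 'xk3j9qz7wplm0vt' (the registered label)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic DGA test: long, high-entropy, vowel-poor second-level label.
    Thresholds are assumptions; tune them against your own query logs."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def suspect_clients(log_text, min_hits=3):
    """Clients with >= min_hits NXDOMAIN answers for DGA-looking names; a bot
    typically fails many lookups before it reaches the live C&C domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_DNS_LOG).items():
        print(client, "queried", len(names), "DGA-like names:", names)
```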
Configuring DNS servers to prevent attacks
Operators of DNS servers should ensure their systems are properly configured to prevent attacks. Rivalhost offers these 14 recommendations to help protect against DoS and DDoS attacks:
- Create an action plan in advance.
- Monitor traffic levels.
- Pay attention to connected devices in the “internet of things.”
- Install extra bandwidth.
- Train your customers on security.
- Set up secured virtual private server hosting.
- Drop packets from obvious false sources of attack.
- Purchase a dedicated server that provides you with more bandwidth and control over security.
- Block spoofed IP addresses.
- Frequently install patches and updates — especially on open-source platforms like WordPress.
- Aggressively monitor “half-open connections,” which are vulnerable to attacks. In a half-open connection, two parties are trying to communicate but can’t because the connection at one end has crashed or has been removed. Hackers can exploit this problem
until the connection is fixed.
- Use proxy protection, which provides an extra layer of DDoS protection for any website and keeps your website safe from complex cyberthreats. An example is a proxy server — a computer that serves as an intermediary between an individual’s computer
and another host such as the internet. For example, when someone uses a computer to find a resource, such as a webpage on the internet, the request goes to the proxy server first. If the proxy server locates the page from a local cache of previously
viewed pages, it sends it to the primary user thus bypassing the request to the internet. If the proxy server doesn’t find the requested webpage locally, it requests one from the internet by using one of its IP addresses. When the webpage is found
on the internet, it’s returned to the proxy server, which forwards it to the user. Thus, the proxy server adds another layer of protection for the user.
- Filter UDP traffic with “remote black holing.” User Datagram Protocol (UDP) is a protocol for sending data packets over the internet via an IP address. Remote black holing is a filtering technique that allows someone to discard undesirable traffic before
it enters a protected network. (See DDoS Protection: 14 Unique Ways to Protect Yourself from DDoS Attacks,
by Todd Reagor, Jan. 23, 2017.)
Examine familiar websites’ appearances to look for obvious imperfections such as spelling errors, changes in color, etc., which signal the sites are fake. Report them to IT so its technicians can resolve the problem. DNS server
operators should take measures to ensure systems are properly configured to prevent attacks.
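Three of the recommendations above (drop packets from obvious false sources, block spoofed IP addresses, monitor half-open connections) can be checked from a snapshot of the server’s connection table. The Python below is an added example, not code from the article or from Rivalhost; the `ss -tan`-style snapshot, the bogon list and the threshold are constructed or assumed.

```python
import ipaddress
from collections import Counter

# Constructed snapshot in the style of `ss -tan` output; SYN-RECV rows are
# half-open connections. RFC 5737 documentation addresses stand in for
# public ones, so they are deliberately absent from the bogon list below.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      203.0.113.5:443     198.51.100.12:51022
SYN-RECV  0      0      203.0.113.5:443     192.0.2.44:40001
SYN-RECV  0      0      203.0.113.5:443     192.0.2.44:40002
SYN-RECV  0      0      203.0.113.5:443     192.0.2.44:40003
SYN-RECV  0      0      203.0.113.5:443     192.0.2.44:40004
SYN-RECV  0      0      203.0.113.5:443     10.9.8.7:1234
SYN-RECV  0      0      203.0.113.5:443     127.0.0.1:2222
ESTAB     0      0      203.0.113.5:443     198.51.100.30:50100
"""

# Source ranges that never legitimately arrive from the internet; a SYN from
# one of these is an "obvious false source" (the list is an assumption).
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def is_spoofed_source(ip):
    """True when the address falls in a range that cannot be a real peer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETWORKS)


def half_open_by_source(ss_text):
    """Count SYN-RECV (half-open) connections per peer IP."""
    counts = Counter()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0].strip("[]")  # drop port
        counts[peer_ip] += 1
    return counts


def assess(ss_text, threshold=3):
    """Flag peers holding >= threshold half-open connections (SYN-flood
    suspects) and peers whose address is a bogon (spoofed)."""
    counts = half_open_by_source(ss_text)
    return {"half_open_total": sum(counts.values()),
            "flooders": sorted(ip for ip, n in counts.items() if n >= threshold),
            "spoofed": sorted(ip for ip in counts if is_spoofed_source(ip))}


if __name__ == "__main__":
    print(assess(SAMPLE_SS_OUTPUT))
```

Flagged addresses are candidates for the packet-drop and spoofed-source blocking rules the list recommends; the threshold should be set from the server’s normal half-open baseline.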
Head off dastardly attacks
DoS and DDoS attacks are seriously threatening organizations’ data security and resources. You must protect your DNS servers. Overloading websites with millions of automated inquiries is more than a nuisance. You lose revenue, productivity and reputation.
And hackers might use the attacks to plant malware that can harm your organization and customers. Be smart and get way ahead of the fraudsters.
Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the 2017 Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.